Be careful about your captchas

A nifty little program which Trend Micro detects as TROJ_CAPTCHAR.A disguises itself as a strip-tease game, wherein a scantily-clad “Melissa” agrees to take off a little bit of her clothing. However, for her to strut her stuff, users must identify the letters hidden within a CAPTCHA. Input the letters correctly, press “go” and “Melissa” reveals more of herself.

However, the “answers” are then sent to a remote server, where a malicious user eagerly awaits them. The “strip-tease” game is actually a ploy by ingenious malware authors to identify and match ambigious CAPTCHA images from legitimate sites, using the unsuspecting user as the decoder of the said image.

I am not sure if this would work to “decode” the captchas all the time because I know that some sites generate a different captcha image if you take too long to fill in the information. Still, it would work in some cases and it’s a scheme to be careful about because you could see variations on the scheme to trap people. (Via Seth Godin)